password complexity


byakuya32

EricOnEmby

Please do NOT add this. I have small kids who can log in as the "kids" user, and that has a very simple password. Anyone is free to use sufficiently complex passwords if they want to. This is not protecting a bank account or a credit card. If people are fine with a simple password, let them set it up. If someone chooses a guessable password, so what?


CloudWing93
7 minutes ago, EricOnEmby said:

Please do NOT add this. I have small kids who can log in as the "kids" user, and that has a very simple password. Anyone is free to use sufficiently complex passwords if they want to. This is not protecting a bank account or a credit card. If people are fine with a simple password, let them set it up. If someone chooses a guessable password, so what?

Features like this are usually configurable by the admin. Besides, if you want to use a weak kid password, just set up a PIN for your kids' user that can be used on the local network.


crusher11
10 hours ago, EricOnEmby said:

Please do NOT add this. I have small kids who can log in as the "kids" user, and that has a very simple password. Anyone is free to use sufficiently complex passwords if they want to. This is not protecting a bank account or a credit card. If people are fine with a simple password, let them set it up. If someone chooses a guessable password, so what?

Hackers aren't going to care what your kids want to do. 


Marijuana
2 hours ago, crusher11 said:

Hackers aren't going to care what your kids want to do. 

LOL, agreed, but honestly, if someone hacked your Emby server, what could they possibly do besides watch The Price Is Right or some movies? 😅 But for those who don't put a password on your kids' account, there are a few things you can do to at least better protect your server. First thing is don't use the word admin for your admin account; use something with numbers and letters mixed, with some uppercase added, for both the admin username and password. Hide all accounts from showing except the kids' account on your Emby login screen, set a limit of 1 connection, and disable that kids' account from being able to change the password once set. Make sure the kids' account has downloading disabled and any family photos disabled "for the paranoid". Do not allow the kids' account to have any access to deleting content or management control whatsoever.

Reason hackers look for Emby servers: unfortunately there will always be those who run port scanners or other methods to look for Emby for a number of reasons. They are looking for access to your admin panel to get your Emby Premiere keys, IPTV m3u links, download content, or just to be a pain in the butt. If they only have access to a kids' login to watch Barney or the Smurfs, they will just move on.


EricOnEmby
3 hours ago, crusher11 said:

Hackers aren't going to care what your kids want to do. 

I was talking about a use case where Emby is running inside the home network, where kids access Emby through the smart TV in the living room. If you want to expose Emby (or anything else) to the Internet as a whole, you really need to select strong passwords, or prepare to be hacked.


byakuya32
18 hours ago, EricOnEmby said:

Please do NOT add this. I have small kids who can log in as the "kids" user, and that has a very simple password. Anyone is free to use sufficiently complex passwords if they want to. This is not protecting a bank account or a credit card. If people are fine with a simple password, let them set it up. If someone chooses a guessable password, so what?

I was referring to just having the option to turn this on; just because it's a feature doesn't mean it would be forced on you to use. It would just add the forcing of a capital letter, a number and a symbol, so that if a hacker gets into your network it slows them down to where they may give up. If we really want to slow them down, MFA. This would be extremely useful when you have opened up the firewall and allow family to watch remotely. But it would be a checkbox you have to click to turn it on for your users, not forced. Some of us want our servers protected against hackers. It is your choice to not protect it.


Painkiller8818
6 hours ago, Marijuana said:

but honestly if someone hacked your emby server what could they possibly do besides watch the price is right or some movies

Depending on what account they are able to hack and the rights you configured for Emby on your storage, the hacker can delete all your movies and TV shows, as Emby in most cases has write permissions ;)

If you have a non-admin account that has been hacked, the hacker could download all your movies and shows, and this will mean your bandwidth is always fully under load; in case a normal user wants to watch a movie, there is no upload available because everything is already in use ;)


crusher11
16 hours ago, EricOnEmby said:

I was talking about a use case where Emby is running inside the home network, where kids access Emby through the smart TV in the living room. If you want to expose Emby (or anything else) to the Internet as a whole, you really need to select strong passwords, or prepare to be hacked.

So disable passwords on the LAN. 


Happy2Play
5 hours ago, crusher11 said:
22 hours ago, EricOnEmby said:

I was talking about a use case where Emby is running inside the home network, where kids access Emby through the smart TV in the living room. If you want to expose Emby (or anything else) to the Internet as a whole, you really need to select strong passwords, or prepare to be hacked.

So disable passwords on the LAN. 

Yes, as you technically have 2 options: not required on LAN, or a PIN on LAN.


byakuya32
On 12/11/2021 at 9:27 AM, Painkiller8818 said:

Depending on what account they are able to hack and the rights you configured for Emby on your storage, the hacker can delete all your movies and TV shows, as Emby in most cases has write permissions ;)

If you have a non-admin account that has been hacked, the hacker could download all your movies and shows, and this will mean your bandwidth is always fully under load; in case a normal user wants to watch a movie, there is no upload available because everything is already in use ;)

Exactly, it depends on what account they get into; even worse, if they get into the right account they can have full reign of the server if there are any back doors.


ebr
8 hours ago, byakuya32 said:

if they get into the right account they can have full reign of the server if there are any back doors.

I don't believe there is any way for this to happen.  They could access your media and server settings and, if you allow deletion then they could do that which could be quite destructive but I do not believe they could gain actual access to the machine.


Painkiller8818
2 minutes ago, ebr said:

but I do not believe they could gain actual access to the machine.

They don't need access to the machine.

Actually, on every movie and show etc. in Emby as an admin, there is an option to delete, and this is the problem and why we need the revamp of the user permissions, because this does not only delete the media file from the Emby library, it is deleting the media file from storage.

So all I need is an admin account with some magical secure password like 1234 or H4cker etc. so the attacker can delete everything from within the Emby web UI.


30 minutes ago, Painkiller8818 said:

Actually on every movie and show etc. in emby as an admin, there is an option to delete, and this is the problem why we need the revamp of the user permissions because this does not only delete the media file from the emby library, it is deleting the media file from storage

35 minutes ago, ebr said:

if you allow deletion then they could do that which could be quite destructive

You can disable delete functionality for your users if you wish.


Happy2Play

And if you choose to give your admin account remote access, it is upon you to ensure the admin account has a strong password?

For users it only matters if you allow users to Delete.

Painkiller8818
53 minutes ago, Happy2Play said:

And if you choose to give your admin account remote access it is upon you to ensure it admin account has a strong password?  

The long-requested MFA feature would do that.


16 hours ago, Painkiller8818 said:

the long requested MFA feature would do that

But it is also completely within your power now to do that.  You are asking for us to make it harder to use the system in order to "protect" people from themselves.  We have to weigh that type of thing carefully against the ease of use of the system.  You, as a server owner, are completely in control of just how secure your installation is already.

Now, having said that, I think a request like this one (enforcing complex passwords) is potentially useful, but I think it should be optional so that people can remain in control of just how easy their system is to use vs how secure it is.


Painkiller8818

Sure, it is something optional, but also something that's becoming more and more a basic feature on most services.

Having a good and secure password is not as secure as many people think, seeing a lot of vulnerabilities etc. A hacker can find a way, and the complexity of the password is worth nothing in such a case.

2FA/MFA makes it much harder to bypass this, because there are only 2 ways to bypass, or let's say hack, 2FA/MFA atm, and this would be a cookie/session hijack while I am in the same network, or getting physical access to your MFA device (phone in most cases).

While hacking a password of a normal Emby server with the Emby out-of-the-box solutions is much simpler than you may think.

A dictionary attack with a large list and a good GPU, which makes 60K to 100K pw/s, will do the job in most cases, depending on the list.

As far as I know Emby doesn't support blocking for 5 mins after 3 or 5 failed logins out of the box etc., so having 2FA/MFA would help extremely to prevent something like that.

Sure, the weakest factor is the human itself, but you also never have revamped the user permissions etc., which in my opinion is not a "feature request"; it is more like a security thing and should get more priority over fixing some subtitle things.

It would be great to see these security-related things having more priority over some small visual things.
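As an added example (not Emby's code), here is one way to model the opt-in policy byakuya32 describes (a checkbox that requires a capital letter, a number and a symbol) and the failed-login lockout Painkiller8818 says Emby lacks out of the box. The class names, the 8-character minimum and the 5-failures-per-300-seconds thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Opt-in complexity rules. Off by default: the admin ticks the box to enforce."""
    enabled: bool = False
    min_length: int = 8            # assumed minimum; the thread names no length
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def problems(self, password: str) -> list:
        """Return the unmet rules; an empty list means the password is accepted."""
        if not self.enabled:
            return []               # enforcement left off: any password passes
        unmet = []
        if len(password) < self.min_length:
            unmet.append(f"at least {self.min_length} characters")
        if self.require_upper and not re.search(r"[A-Z]", password):
            unmet.append("an uppercase letter")
        if self.require_digit and not re.search(r"[0-9]", password):
            unmet.append("a digit")
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            unmet.append("a symbol")
        return unmet


@dataclass
class LoginThrottle:
    """Lock an account for lockout_seconds after max_failures failed logins in a row."""
    max_failures: int = 5
    lockout_seconds: int = 300
    _state: dict = field(default_factory=dict)   # user -> (failure count, locked_until)

    def is_locked(self, user: str, now: float) -> bool:
        _, locked_until = self._state.get(user, (0, 0.0))
        return now < locked_until      # caller checks this before verifying a password

    def record_failure(self, user: str, now: float) -> None:
        count, locked_until = self._state.get(user, (0, 0.0))
        count += 1
        if count >= self.max_failures:     # threshold hit: lock and restart the count
            count, locked_until = 0, now + self.lockout_seconds
        self._state[user] = (count, locked_until)

    def record_success(self, user: str) -> None:
        self._state.pop(user, None)        # a good login clears the counter


def guesses_per_hour(throttle: LoginThrottle) -> float:
    return throttle.max_failures * 3600 / throttle.lockout_seconds   # online guess cap
```

With the assumed 5 attempts per 5 minutes, an online guesser is capped at 60 attempts per hour, which is the comparison to make against the 60K to 100K per second quoted above for an offline dictionary run.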

AnomalousTech

+1 to this. 

I would like to be able to set a complexity requirement. I used to use the AD plugin for this reason alone. However, it didn't work as expected at all times.

I'd also like to see 2FA/MFA as an option. Use with Google Authentication or some other app based 2FA. Doesn't need to be text or email. I suppose email would be okay if someone wants to add SMTP settings. 
